U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT

Issue Date: March 30, 2000
Number: 0-15

To:       Lawrence E. Barrett, Chief Information Officer

From:     Robert G. Seabrooks,
          Assistant Inspector General for Auditing

Subject:  Audit of SBA’s Proposed Systems Development Methodology

SBA’s strategic goals depend heavily on the development of new information systems. In the past, however, SBA has been criticized for inadequate planning and poor systems development procedures. The Office of the Chief Information Officer (OCIO) is, therefore, developing a “Systems Development Methodology” (SDM) to help accomplish its strategic goals and address those criticisms. The SDM is a set of procedures and quality controls intended to reduce risks in the development of new systems and ensure that systems function as intended. In response to a request by the OCIO, the Auditing Division of the Office of Inspector General reviewed and evaluated the proposed SDM.

The proposed SDM, modeled on one obtained from the Department of Housing and Urban Development, is divided into six phases:

•   Initiate Project: The need for the system is defined and validated. A project plan is developed; a feasibility study, risk analysis, and cost/benefit analysis are conducted; and the proposed system is categorized in terms of platform, development techniques, and type of effort.

•   Define System: System objectives are expanded into specific, detailed functional and data requirements, which form the basis for the detailed design of the system.

•   Design System: Detailed specifications are developed that emphasize the physical solution to the users’ information management needs.

•   Build System: Developers transform the information provided in the Design System phase into machine-executable form, and ensure that all of the individual components of the system function correctly and interface properly with other components.

•   Evaluate System: Independent testers measure the system’s ability to perform the functions required by the users and ensure an acceptable level of performance.

•   Operate System: The system is initially installed at a pilot site and eventually released into its full-scale production environment. Training in using the system is conducted and system performance is monitored.

                                  OBJECTIVES AND SCOPE

The objectives of our review were to determine whether the proposed SDM (1) is consistent with government and industry standards, and (2) will help ensure that new information systems are developed on time, within budget and with the intended functionality. We used guidance obtained from the Information Systems Audit and Control Association (ISACA) to evaluate the SDM. That guidance incorporates criteria established by the Office of Management and Budget, General Accounting Office, National Institute of Standards and Technology, Department of the Treasury, other Federal Agencies and the Institute of Electrical and Electronics Engineers.

We evaluated the proposed SDM with respect to its structure, key closure points [1], security and internal controls, participation and responsibilities of key groups, communications between key groups, and documentation and programming standards. Fieldwork was conducted from August 1999 through February 2000 at SBA Headquarters in Washington, DC. The review was conducted in accordance with Government Auditing Standards.

    [1] Closure points are the formal end to a phase that require completion of documentation and may require management review meetings to ensure that all phase activities have been carried out and all deliverables have been completed.

                                      RESULTS OF AUDIT

We found that the proposed SDM (1) is generally consistent with government and industry standards, and (2) will help ensure that new information systems are developed on time, within budget and with the intended functionality. We did note, however, some differences between the SDM and applicable guidelines, as described below.

Specify a Role for the OIG in the Initiate Project Phase

Although the proposed SDM does specify OIG (audit) roles that are consistent with the ISACA guidance in the subsequent phases, it does not specify an OIG role in the Initiate Project phase. In the Initiate Project phase, the ISACA guidance specifies the audit role of reviewing and evaluating the “Needs Statement” and other phase deliverables. The requirements of this phase are critical to the success of subsequent phases, and specifying a role for the OIG can help ensure those requirements are satisfied before subsequent phases are initiated.

Address Records Management Requirements

In the Define System phase, the proposed SDM calls for determination of functional requirements in several categories, such as performance, security, and internal controls, but it does not specifically call for determination of records management requirements. Federal government agencies are required to preserve and maintain records of their organization, functions, policies, decisions, procedures, operations and activities. With respect to automated information systems that create, process and maintain electronic records, there are a number of specific federal records management requirements. Accordingly, Title 36 CFR section 1234.10 requires agencies to establish procedures for addressing records management requirements before approving new electronic information systems or enhancements to existing systems. The SDM could be improved by designating a role for the agency’s records manager in the Define System phase, with responsibility for determining records management requirements.

Require Development of a Vulnerability, Threat, Safeguard Matrix

The proposed SDM currently calls for identification of system assets, associated threats and vulnerabilities, and appropriate countermeasures to safeguard against them, but it does not specify a standardized deliverable to help ensure accomplishment of this requirement. According to the ISACA guidance, good system development methodologies specify preparation of predefined products and deliverables, and in better methodologies these products are standardized. The proposed SDM does specify a number of predefined products and deliverables, such as checklists and analyses, to help ensure the satisfaction of key requirements. A matrix, as illustrated below, is an example of a standardized deliverable that would help ensure comprehensive identification of threats, vulnerabilities, and safeguards for all system assets and components.

 Asset Category         Threat                        Vulnerability          Safeguard(s)
 Computer Hardware      Destruction                   Fire                   Fire Suppression System
 Mission Critical Data  Unauthorized Disclosure,      Network Penetration    Firewalls, Access Controls,
                        Modification or Destruction                          Data Encryption

Complete the Application and Programming Standards and Related Documents

SBA’s current programming and applications standards are either outdated or incomplete. The official standards document is the OIRM Operations and ADP Standards Manual, created in 1990, when major applications were developed on mainframe computer systems. Per OCIO personnel, this manual is not suited for client-server system development – currently the agency’s primary development platform.

Client-server development standards are addressed in a separate document that is not complete at this time (OISS Application Standards). The chapter of the document that pertains to programming standards is complete, however, and should be incorporated in the SDM either by reference or as an appendix.

The ISACA guidelines specify that organizations must identify and follow policies, procedures and standards in developing automated information systems. Some of the policies, procedures and standards referred to in the SDM, however, have not yet been developed. These include:

      •      Cost / Benefit Analysis Methodology
      •      Standard Release Procedures
      •      Gap Analysis Procedures

Without complete guidance and reference documentation, there is a greater chance that system development projects may deviate from acceptable practices.

Recommendations

We recommend that the Chief Information Officer:

1A.   Make the following changes to the proposed SDM, and establish the SDM as official agency policy for system development projects.

      •   Modify Table 1-11 to designate a role in the Initiate System phase for the OIG, with the responsibility to review phase products to ensure critical requirements have been satisfied.

      •   Modify section 2.0 to designate a role for the agency records manager with the responsibility to ensure that federal records management requirements are defined.

      •   Modify section 1.6 to require the preparation of a threat, vulnerability and safeguard matrix, or other standardized deliverable, to help ensure safeguards are identified for all significant asset/threat combinations.

      •   Incorporate Chapter 4 of the OISS Application Standards in the SDM either by reference or as an appendix, and specify in section 4.3.2 that these are the standards to be followed for client-server development projects.

1B.   Establish responsibilities, budgets, milestones and deliverables to ensure completion of the Programming and Application Standards, Cost / Benefit Analysis Methodology, Standard Release Procedures, and Gap Analysis Procedures.

                                Management Response

The Chief Information Officer responded that his office is committed to adopting a Systems Development Methodology (SDM) that is robust, flexible, useful, and conforms to government and industry standards. He also agreed to implement the report’s recommendations.

                                    OIG Evaluation

The Chief Information Officer’s reply was responsive to the report.

                                         ***

This report is based on auditors’ conclusions and their review of the proposed SDM and relevant standards. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

Should you or your staff have any questions, please contact Robert G. Hultberg, Acting Director, Business Development Programs Group at (202) 205-7204.

                                           REPORT DISTRIBUTION

Recipient                                                          No. of Copies

Associate Deputy Administrator for Management and Administration ........ 1
Associate Administrator, Office of Disaster Assistance .................... 1
Chief Financial Officer ................................................... 1
General Counsel ........................................................... 2
U.S. General Accounting Office ............................................ 1